What it is
A Microsoft.Web/connections resource, the authenticated link a Logic App uses to reach a service like Office 365, SQL, Salesforce, or a storage account, that is no longer referenced by any Logic App workflow. It runs nothing, but it retains the authentication it was set up with.
Why it happens
API Connections are created during the connector setup flow and authorized once, storing an OAuth token, API key, or service-principal secret so a workflow can act on your behalf. Azure does not expose a back-reference from a connection to the Logic Apps that use it, so when the last workflow referencing it is deleted or rewired, the connection is simply left behind. Nothing on the bill and nothing in the portal nudges you to remove it.
The result is a credential-hygiene problem, not just clutter. A connection named o365-mailer may still hold a live token with mailbox permissions long after the automation that needed it was retired. It counts as standing access to a third-party service, sitting outside the usual identity reviews because it does not look like a role assignment or a service-principal secret, even though it functions like one.
What it costs / blast radius
Azure does not charge for an API Connection, so there is no cost angle. The blast radius is the retained credential: an orphaned connection can hold a still-valid token or key granting access to email, databases, or SaaS APIs, with no workflow accountable for it. That is standing access nobody is watching, and it is easy to miss precisely because it is not shaped like the identities security teams usually audit. (Authored assessment of Azure behavior.)
See it
// List every API Connection, then cross-check which workflow parameters
// reference them; any connection with no referencing workflow is orphaned.
Resources
| where type =~ 'microsoft.web/connections'
| project connId = tolower(id), name, resourceGroup, subscriptionId,
api = tostring(properties.api.displayName),
status = tostring(properties.statuses[0].status)

# Confirm no Logic App still uses it, then delete to purge the stored auth.
az resource delete \
  --resource-type Microsoft.Web/connections \
  --name o365-mailer \
  --resource-group rg-integration
How StratoLens helps
StratoLens flags API Connections that no Logic App references automatically and continuously across every subscription in your tenant, so a stored credential does not linger after the workflow that needed it is gone. You get the connections worth revoking surfaced for you instead of discovering them during an incident.
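The cross-check that the query comment under "See it" describes, as an added example in Python that is not StratoLens or Microsoft code: it compares exported connection records with the `connectionId` values in each workflow's `$connections` parameter, case-insensitively. The sample records and resource names are constructed, and it assumes Consumption workflows (`Microsoft.Logic/workflows`); Logic Apps Standard keeps its connection references in the app's `connections.json`, which this does not read.

```python
"""Find API Connections that no Consumption Logic App workflow references."""

# Constructed sample data, shaped like exported ARM / Resource Graph records.
RG = "/subscriptions/00000000-0000-0000-0000-000000000000/resourceGroups/rg-integration"
CONN = RG + "/providers/Microsoft.Web/connections/"


def _conn(name, status):
    return {"id": CONN + name, "name": name,
            "properties": {"statuses": [{"status": status}]}}


CONNECTIONS = [_conn("o365-mailer", "Connected"),
               _conn("sql-orders", "Connected"),
               _conn("blob-archive", "Error")]

WORKFLOWS = [
    # References sql-orders, with different casing than the connection's own id.
    {"name": "wf-orders", "properties": {"parameters": {"$connections": {"value": {
        "sql": {"connectionId": (CONN + "sql-orders").upper()}}}}}},
    # A workflow with no connections at all must not break the scan.
    {"name": "wf-timer", "properties": {"parameters": {}}},
]


def referenced_connection_ids(workflows):
    """Collect lower-cased connectionId values from every $connections parameter."""
    refs = set()
    for wf in workflows:
        params = (wf.get("properties") or {}).get("parameters") or {}
        value = (params.get("$connections") or {}).get("value") or {}
        for entry in value.values():
            conn_id = entry.get("connectionId") if isinstance(entry, dict) else None
            if conn_id:
                refs.add(conn_id.lower())
    return refs


def find_orphans(connections, workflows):
    """Return sorted (name, status) pairs for connections no workflow references."""
    refs = referenced_connection_ids(workflows)
    orphans = []
    for c in connections:
        if c["id"].lower() not in refs:
            statuses = (c.get("properties") or {}).get("statuses") or [{}]
            orphans.append((c["name"], statuses[0].get("status", "Unknown")))
    return sorted(orphans)


if __name__ == "__main__":
    for name, status in find_orphans(CONNECTIONS, WORKFLOWS):
        print(f"orphaned: {name} (status: {status})")
```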